How Israel Turned Into a Hacker Haven

The story is well known. Aleksey Burkov, a hacker with Russian citizenship, was awaiting extradition to the United States because of his online activities, including alleged fraud, identity theft, computer intrusion and money laundering. Washington has exerted a lot of pressure on Israel to extradite Burkov, but Moscow insisted that he be returned to Russia.

Why would Russia want him back? Perhaps because of his exceptional hacking skills. Some media reports asserted that “he knew too much.” The Kremlin seemed concerned enough that it took the trouble to arrest Israeli Naama Issachar and sentence her to a disproportionate 7.5 years for possession of a small amount of hashish.

In the end, Burkov was extradited and Issachar was freed in exchange for a different Israeli concession, land in central Jerusalem being transferred to Russian control.

Another question is what Burkov was doing in Israel to begin with? He is certainly not the only hacker to have made his way to Israel. In recent years, Israel has turned into a hacker haven, a preferred destination for those engaged in malicious online activity, especially from Russian and Ukraine. Gangs of cyberattackers are based on Israel, according to Vitali Kremez, who heads research for the Israeli-U.S. cybersecurity company SentinelOne and a leading cybersecurity researcher.

“Israel is a special place. It’s a paradise for cybercriminals, especially carders,” said Kremez, referring to hackers who specialize in stealing credit cards. “You can use stolen credit cards in Israel for shopping, to buy electronics, diamonds and luxury goods and then re-sell them.”

He points to several reasons why Israel has turned into a hacker haven. For one, it’s an easy place for someone who wants to make use of stolen money. It’s an economy where you could do cash transactions – that is, until recently. Although they are too new to judge its effectiveness yet, new rules on cash use limit cash transactions to a ceiling of 10,000 shekels ($2,920 at current exchange rates).

Even if the new cash restrictions prove effective, hackers enjoy an environment where credit card security is relatively poor because Israel has yet to deploy the EMV security standard, which requires users to enter a four-digit security code when they make a credit card purchase. EMV is being introduced gradually starting next month until July 2022.

Another attraction is the ease of setting up a company in Israel, said Kremez. A hacker, for example, can set up a restaurant business and pay it using stolen credit cards. Some hackers set up dedicated cyberattack companies.

“There’s a lot of cybertalent, so you set up a company and recruit staff with higher-than-average salaries. Vis a vis the public, the company [represents itself as a cyberconsulting firm … Some of the staff may even believe that that is what the firm does – searching for clients’ [network] vulnerabilities. But in practice, it’s engaged in cybercrime,” he said.

Some of the hackers are Jewish or can show they have Jewish roots, which makes it easy for them to obtain Israeli citizenship. Israel doesn’t rush to extradite Jews to other countries, even when there are serious accusations against them, such as the case of Malka Leifer, an Australian high school principal who fled to Israel amid allegations that she sexually abused her students.

Israel’s proximity to Russia and frequent flights makes it easy for hackers to visit home when they need to.

“The unwritten rule is that so long as a hacker isn’t attacking Russian targets, the government doesn’t care. On the contrary, they bring money into the Russian economy,” said Kremez.

Boaz Dolev, the CEO of the cyberintelligence company ClearSky, says he can often get a sense of where hackers are based from his investigations of hacking incidents after they have occurred. “I can’t see if a Russian hacker lives here or not, but I do know when they first used a virus [for hacking]. In some cases, we see that [viruses] are being tested for the first time in Israel,” he said.

ClearSky conducts its probes using Google’s VirusTotal engine, which aggregates data on anti-virus software from scores of major world providers. Hackers often experiment with new viruses by installing them on a small number of computers to see whether anti-virus software will detect them. As a result, said Dolev, “Our sense is that over time [Israel] research and development centers have been set up for developing attacks that are later used globally,” he said.

In the case of Burkov, not a lot is known. He arrived in Israel in 2015 for a vacation and was arrested at the request of the United States. Since then, he has been engaged in a legal struggle to block his extradition.

Brian Krebs, a renowned journalist and blogger in the field of cybersecurity, called Burkov an “elite cybercrook” and one of the most talented hackers in the world today. One of Burkov’s two main activities is operating Cardplanet, an online marketplace for stolen credit card numbers. At its peak, it had details of 150,000 cards, most of them belonging to Americans. His other main activity is DirectConnection, a closed online community of online criminals for sharing information and tools. In the U.S., Burkov faces a prison term of up to 15 years.

In August 2018, the U.S. Justice Department announced the arrests of thee cyberhackers living in different countries but all holding Ukrainian citizenship. Dmytro Fedorov, Fedir Hladyr and Andrii Kopakov, investigators said, belonged to a gang called FIN7 that had broken into hundreds of computer networks, including the restaurant chain Chipotle, and stolen millions of credit card details and sold them to others.

FIN7 used a front company called Combi Security, purportedly headquartered in Russia and Israel, to provide a facade of legitimacy to recruit hackers to join the criminal enterprise, the Justice Department alleged. Kremez estimated that the company employed “dozens” of Israelis.

FIN7 still active

TheMarker found no company called Combi Security registered in Israel. Nevertheless, the cybersecurity company Kaspersky says that despite the arrests, FIN7 remains active.

The story of Vladislav Horohorin offers another perspective on cybercrime in Israel. He was born in Ukraine in September 1982 and immigrated to Israel in 1999 with his mother and served in the army. In an interview he gave in 2017, to the government television network Russia-24 he recalled his first hack – of an internet provider because his family didn’t have enough money to pay for the service. At 18, when he was drafted into the Israel Defense Forces, he hacked into an army computer to adjust his file. He was arrested and discharged.

In the early 2000s, Horohorin turned to cybercrime. By his own testimony, he began by stealing credit cards so he could pay for online pornography. As he perfected his skills, he set up an online marketplace called CarderPlanet to trade stolen cards. The site is known for an animation video it uses for “marketing,” in which it makes fun of stupid Americans who let their card details get stolen. Horohorin went on to other activities, including a ticket-forgery operation.

Horohorin did all this in Israel under the noses of the authorities. In 2010, he was arrested in Nice, where he owned a $3 million home, as he was boarding a flight to Warsaw. Two years later, after he failed to block an extradition order, he was sent to the U.S. and in 2013 sentenced to 88 months in prison. He was released in February 2017.

Back in Israel

These days Horohorin is back in Israel, Tel Aviv to be precise. According to one source, he was working for a company called Cybersec, which was founded by his American lawyer and hires reformed hackers. In a TV interview, Horohorin said he had no income or savings.

Kremez says he doubts Horohorin can return to Russia. He served only half his sentence, and Russian authorities are likely to suspect that he gave the Americans information valuable enough for them to release him early.

The combination of Israel’s links to Western economies and its weak enforcement not only attracts immigrants but native hackers as well. One example is Gal Vallerius, who quietly traded illegal drugs on the dark web for years, until he traveled to the U.S. in 2017 and was arrested by the Federal Bureau of Investigation. Prior to that, Vallerius had operated phishing sites that he used to plant malicious codes in victims’ computers.

Another case involves Gery Shalon and Ziv Orenstein, who were arrested in 2015 in Israel after they were accused of breaking into 80 million accounts held at the U.S. bank JPMorgan Chase and used them to manipulate share prices.

What can be done to prevent Israel from being a refuge for hackers?

“One step would be to require the EMV authentic mechanism on credit cards, including making customer identification - checking the identity of the payer using an ID. In the U.S., every cashier knows how to do it,” said Kremez.

He added: “The identity of those setting up a company should be verified with a background check. It is advisable to limit the use of cash in the economy, and to run fraud detection systems in retail chains.”

As for Israeli enforcement authorities, the police defended itself saying its anti-fraud unit is making a “determined and professional” effort to crack down on cybercrime. “We don’t accept the assertion that Israel has turned into a paradise for hackers,” it said it a statement.